Protect Yourself

Recently I was attacked while on a business trip. It
happened as I was leaving an opera performance. (Even
geekoids have to get culture sometimes.) I’d like to say
that my lessons in self-defense paid off and, like Jackie
Chan, I deftly drop-kicked my assailant; or, like Stallone’s
Carter, I decked him and then proceeded to punch the dust
out of him; or, like Indiana Jones, I simply pulled out
my handgun and blew him away. The truth is, I did none
of the above. Instead, I did what I had to to get away.

Yeah, I’m fine. Like the saying goes, nothing wounded
but my pride. And, after all, some good has come of it.
This month’s sermon, er, column is supposed to focus on
securing laptops. And it will. But I want you to understand
that securing computers that travel is more than technical
truisms and Windows 2000 configuration. Securing data
as it travels outside your enclave on portable computing
devices has two facets: the security of the laptop and
its data and the security of the person who carries it.

First Things First
I know you’re eager to adopt strong security policies
for your crew of road warriors, and those of you who travel
are anxious to know what they are. However, as travelers
there are personal safety rules we should follow first.
And, as employers, there are instructions, warnings and
advice we should be giving our employees. Indeed, we should
prioritize the personal safety of our employees higher
than that of their laptops. As you prepare your travelers
for battle, make sure you give them personal safety rules
and tools. I’m not saying you should force self-defense
classes on all employees (although that couldn’t hurt),
but I am saying all employees should be briefed on how
to keep themselves from harm. Oh, I know they don’t want
to hear a list of do’s and don’ts — the company isn’t
their mother; but I think you can find a way to put the
information out there. And where can you get some good
traveler’s advice? How about the U.S. National Counter
Intelligence Center (NACIC)? This organization works to
identify and counter foreign intelligence threats to U.S.
national and economic security. It seeks to coordinate
the efforts of the FBI, CIA, DIA, NSA, Office of the Secretary
of Defense, military services, and departments of State
and Energy and draws its employees from these organizations.

NACIC produces a little pamphlet entitled, “Your Passport
to a Safe Trip Abroad.” You can obtain any number of copies
by visiting its Web site at www.nacic.gov. Most of the
information is relevant to travel in this country as well.
Also on the site is a link to the State Department’s “Consular
Information Sheets” (http://travel.state.gov/travel_warnings.html).
These pages include information
on the location of U.S. embassies or consulates, health
conditions, minor political disturbances, and crime and
security information. They offer an excellent resource
when you do leave the country.

Tip

The NACIC site also provides information
on information warfare videos. These are case studies
of hacking events. The current one, “Solar Sunrise,”
documents hacks into military sites during the Gulf
War and is available from FilmComm Inc. You can purchase
a copy for $12.28 by calling (800) 944-9134. I’ve
seen this video — be sure to get a copy and use it
in your security-awareness sessions.

In addition, the NACIC booklet has some “handy” safety
tips, including a few jewels like the following on surviving
an airplane crash:

“Never release your seatbelt until the plane comes
to a complete stop and you have observed your surroundings.
If you find yourself upside down, releasing your seatbelt
could prove hazardous.”

Or, “If the plane breaks apart, consider using the
new holes as exits.”

Evaluate the Threat
No, I don’t think that someone lies in wait to steal my
laptop; but I do believe if given the opportunity, someone
would. No, I don’t believe I’ll be accosted and asked
to surrender it either — well, at least not anytime soon.
I also believe that every CEO and any other high-level
executive may have someone plotting to steal their laptop.
The difference here is one of risk, and there are two.

First, laptops are easy to take and, like car stereos
in the ’70s, are perceived as hot items that can easily
be changed into cash.

Second, laptops are likely to carry sensitive documents
that can be mined for competitive information. The reason
we travel with laptops is so we can do our jobs while
we’re on the road. The reason our competitors might wish
to steal them is to get that information. Why bother infiltrating
the castle when the king constantly travels with the jewels?

The question becomes not should you take some steps to
secure information that travels on laptops, but how far
should you go? If you think some of the steps here go
a little far, stop and examine for whom you’re designing
security standards and what your experiences have been.
Just as you design your network perimeter security based
on your knowledge of the raw and wild nature of the citizens
of the Net and the type of data you’re securing, you should
base your preparations for travelers with your eyes open
to knowledge of industrial espionage; information warfare;
street crime; and casual, “oh-I’d-like-to-have-one-of-those-so-I-think-I’ll-take-it”
ethics of the 21st century.

Give Them Weapons of Choice
Protecting your people and your data doesn’t just require
you to provide instructions on avoiding city streets at
night. You must arm your road warriors with weapons they
can use to fend off technical attacks. Two basic types
of protection are available.

Personal firewalls and intrusion-detection programs can
be used to protect data exposed when linking to the Internet.
Remember, to the traveler, the laptop is both the PC and
the boundary between friend and stranger. You wouldn’t
think of doing without basic perimeter defenses back at
the office, so why would you ignore it now? I’m not advocating
making everyone carry a firewall appliance — such as the
ones from SonicWALL (www.sonicwall.com)
or NetScreen Technologies (www2.netscreen.com)
— although that’s my personal choice.

Software-based products exist, so I list a few here.
For support purposes, you’re better off standardizing
one, providing it free of charge to anyone who asks, and
demanding its use by travelers and telecommuters. Some
of these items even offer rudimentary intrusion detection,
providing reports on just what an attacker is looking
at. Jammer from Agnitum (www.agnitum.com)
is a software-based intrusion-detection product that notifies
you of attacks, alerts you to attempts to change registry
entries, and detects and cleans Trojan installations.
Some good software-based personal firewalls are Norton
Internet Security (www.symantec.com);
ZoneAlarm, which is free from Zone Labs (www.zonelabs.com);
McAfee’s ConSeal PC Firewall (www.signal9.com);
and BlackICE Defender from Network ICE Corp. (www.networkice.com).

I suggest you read firewall reviews (you can find some
at www.grc.com)
and thoroughly test the product before standardizing a
personal firewall.

Dress Them in Protective Gear
Next time you have a few minutes at the airport, see if
you can pick out who’s carrying the laptops you’d like
to steal. Do you imagine hidden treasures in the old lady’s
purse or the fat man’s duffel? No, you probably look for
the leather laptop bag carried by the well-dressed business
executive.

Now, I don’t want you to sacrifice the padding, locking cases
and waterproof protection that some laptop bags may offer.
Nor do I suggest that your users pack their laptops in
their luggage; I’m just recommending that — when possible
— they not make it all that obvious. Specially outfitted
backpacks, those designed to carry laptops, make a good
choice.

Good Old-Fashioned Padlocks and Modern Motion Sensitive Alarms
Locks and alarms should be standard issue. For
less than $100 you can purchase lightweight cables, combination
locks and motion-sensitive alarms. These products won’t
keep the determined thief from grabbing the box, but he’d
have to plan the attack. Combinations and loud noises
will go a long way toward securing laptops from snatch-and-grab
attacks.

Power Stripping
Got your attention, didn’t I? Power surges, incompatible
power supplies and digital phone systems won’t allow others
to have your users’ data, but they may make it unusable
and even force you into shopping for a new laptop. Small,
lightweight surge protectors are readily available, as
are modem devices that detect whether a phone line is
safe or not.

Many of these products are for sale at computer superstores
and online retailers.

Exercise Native Strength
We all know that seatbelts save lives. But how many of
us wear them? A lot more than used to. Why? Because of
national, regional and local campaigns (and laws) to get
people to act on that knowledge and to use a simple device
that already exists in their automobiles.

Laptops don’t have seat belts, but we usually ignore
their safety devices as well. Don’t. There are several
security features of Windows 2000 that can protect data
on the road; learn how to use them.

Win2K’s Encrypting File System (EFS) allows authorized
users (any user with an account on a Win2K system) to
encrypt their own files. Encrypted files can’t be opened and read,
even by other authorized users with Read permission on
the file. The advantage here is twofold. First, honest
users won’t “accidentally” or casually read files. To
read the file, they’d have to log on either as you or
as the Recovery Agent. (A Recovery Agent account exists
to recover encrypted files when encryption keys are lost
or corrupted.) Second, a malicious user can boot
to another OS and bypass carefully constructed file
permissions, but encrypted files remain encrypted and
aren’t available to them. To properly use EFS:

Private keys should be backed up.

Encrypted files should never be moved to FAT folders
(since encryption requires the NTFS file system, files
would be decrypted before being placed in FAT). Only
the owner of the encrypted file can move it to a location
where it would become decrypted.

Encrypted files can be backed up by the Win2K backup
program. (Don’t use a third-party backup for encrypted
files until the backup software has been upgraded
to provide this feature). Backed up encrypted files
can be copied to FAT volumes and will remain encrypted.
Only the encrypted file owner can open the restored
encrypted file.

Encrypted files shouldn’t be accessed across the
network — unless you’ve provided other protective
mechanisms. The file will be decrypted and travel
over the wire in cleartext.

Folders should be marked for encryption — so that
merely placing files in the folder will encrypt them.
Encryption and decryption are transparent.

The temp folder should also be encrypted, or else
working with encrypted files may store unencrypted
files there.

To properly manage EFS for multiple users, install
certificate services and replace self-signed EFS certificates
with Enterprise CA-issued certificates. Create a Recovery
Agent group and policy. The danger with self-signed
certificates is the possibility of data loss if user
and Recovery Agent keys are lost or corrupt. There’s
no ability to add additional Recovery Agents or replace
the default Recovery Agent (Local Administrator account
on a stand-alone system, Domain Administrator in the
domain).

An encrypted file can be deleted. Use NTFS access
permissions to manage file access and don’t forget
to deny Delete capabilities to anyone but the owner
of the file.
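
The checks in the EFS list above (NTFS volume, folder marked for encryption, temp folder covered) can be audited with a short script. This is an added example, not part of the original column; it assumes a later Windows release with PowerShell 3.0 or newer, and the function name Test-EfsFolder and the default folder list are hypothetical.

```powershell
# Added example: audits local folders against the EFS checklist above.
# The default folder list is a constructed sample; adjust it to wherever
# the traveler actually keeps sensitive data. Local paths only (no UNC).
param(
    [string[]]$Folders = @("$env:USERPROFILE\Documents", $env:TEMP)
)

function Test-EfsFolder {
    param([Parameter(Mandatory)][string]$Path)

    $item  = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    $root  = [System.IO.Path]::GetPathRoot($item.FullName)
    $drive = New-Object System.IO.DriveInfo($root)

    # EFS requires NTFS; a file moved to a FAT volume is stored decrypted.
    $isNtfs = $drive.DriveFormat -eq 'NTFS'

    # A folder carrying the Encrypted attribute encrypts files placed in it.
    $marked = [bool]($item.Attributes -band [System.IO.FileAttributes]::Encrypted)

    # Files that are still plaintext, e.g. created before the folder was marked.
    $plain = @(Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { -not ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) })

    [pscustomobject]@{
        Folder          = $item.FullName
        FileSystem      = $drive.DriveFormat
        OnNtfs          = $isNtfs
        MarkedEncrypted = $marked
        PlaintextFiles  = $plain.Count
        Compliant       = $isNtfs -and $marked -and ($plain.Count -eq 0)
    }
}

# Report one row per folder; any row with Compliant = False needs attention.
$Folders | ForEach-Object { Test-EfsFolder -Path $_ } | Format-Table -AutoSize
```

Including the temp folder in the list covers the case where working with encrypted files leaves unencrypted copies behind.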

Virtual Private Networks
If road warriors need to phone home (back to the office)
to share data, insist on the establishment of a VPN tunnel.
Setting up a VPN server using Routing and Remote Access
Services in Win2K is a piece of cake. Client services
come built in to Win2K Professional, Windows NT and Windows
9x systems. Make sure to load service packs and hotfixes
and teach users how to use the tunnel. Policies on the
server side can restrict the who-what-where-when-why of
connection, so set the encryption strength and limit network
access.

NTFS
It seems silly to bring this up five years after it was
introduced, but I’ve found many still don’t understand
how to use NTFS permissions properly to control access.
Even more important, there are differences in Win2K and
NT NTFS permissions — so even those who’ve used NTFS in
the past need a refresher course.

Part of the philosophy behind NTFS is the concept of
discretionary access — the owners of the files can set
permissions on them. While most administrators, myself
included, prefer to set file permissions for our users,
folks on the road are far away from our support. They
need to (and will be able to) change file permissions
on the files they create — so how about training them
how to do so properly? You can set system file permissions,
or keep those installed by default, and protect them with
Group Policy and/or Security Configuration and Analysis.
But remember, users, or users’ bosses, are the closest
to knowing what should be protected in a given realm.
Ask them.

Security Templates and Group Policy
Use Security Configuration and Analysis to create a special
template for your travelers. Carefully review the existing
templates and modify one to suit your security policy.
Some recommendations:

If this laptop is a member of a Win2K domain, you can
further customize traveling laptop security by placing
all laptops in special Road Warrior Organizational Units
and creating a Group Policy for these users. You can import
this custom security template into the GPO for the OU
and further enhance security using other Group Policy
settings.

Supplement this enterprise Group Policy by creating a
local Group Policy. When users are on the road and can’t
get domain-wide GPO updates, the local Group Policy will
ensure appropriate settings are maintained. Don’t forget
to set Group Policy items that prevent updating of Group
Policies when users log in online. Import the security
template into the local Group Policy. Other sections of
local Group Policy, such as administrative templates,
can be used to limit user choices. You’ll want to investigate
things like removing access to the Control Panel, preventing
users from resetting Internet Explorer configurations,
and so on. To manage local Group Policy from the RUN window
(Start | Run), enter:

mmc c:\winnt\system32\gpedit.msc

This opens the two nodes of configuration: computer and
user. Take a sharp look at administrative templates and
set your controls wisely.

Disable Infrared Data Association
IrDA provides the ability to transfer files via infrared
— with no cables, NIC cards or 3.5-inch disks required.
It’s the best of things, and the worst. It’s good because
many files are too large for 3.5-inch disks and many travelers
don’t carry floppy drives. It’s bad because copying files
to another laptop doesn’t require the person copying the
file to have any permission on the receiving machine.
The receiver does get a warning window that asks if he
or she wants a file from the sender, but it’s a simple
OK-type choice. If users don’t understand or are working
quickly, they might click OK to get rid of the message
and receive a Trojan horse or virus without warning. To
prevent this, visit the Wireless Link applet in Control
Panel and uncheck the line, “Allow others to send files
to your computer using infrared communications.” If it
becomes necessary to copy a file, it’s easy to enable
infrared through the same applet.

A Few Travel Tips from the NACIC

Getting ready for your trip:

Confirm lodging and travel reservations.

Obtain travelers checks.

Leave a copy of an itinerary with a relative
or close friend.

Take information on your health coverage.

Learn about the places you plan to visit. Familiarize
yourself with local laws and customs.

Make sure you have all official documents (driver’s
license, passport and so on).

Designate someone your family can call in case
of an emergency.

Carry an extra pair of eyeglasses and extra
necessary medication (along with a copy of the
prescription and the generic name of the drug)
in your carry-on luggage. Keep medications in
original containers.

Avoid inviting crime by dressing inconspicuously
and blending into your environment. Avoid the
appearance of being wealthy. Consider not taking,
or not wearing, any jewelry.

Use a closed nametag, one that keeps personal
information concealed from casual observation.

Don’t display company logos on your luggage.

Make copies of your driver’s license, credit
cards and passport. Keep this information separate
from the originals (this can speed the replacement
process should documents be lost or stolen).

Also take personal and medical information
such as phone number of relatives, insurance policy
numbers and phone numbers of credit card companies
to report loss or theft.

During your trip:

Never leave your wallet, purse or luggage unattended.

Know the location of emergency exits.

Don’t agree to carry a package for a stranger.

Keep your distance from unattended luggage.

Exit the airport as soon as possible.

Travel in a group whenever possible.

Be conscious of surroundings and avoid areas
that you believe may put you at personal risk.

Don’t flash large sums of money.

Be alert for surveillance — who’s paying attention
to you?

Train Everyone
If you’re going to do battle, train your troops and keep
them in training when they’re not on the battlefield.

Security is everyone’s business. You can’t possibly protect
your children from the big, bad world unless you help
them protect themselves. Give them everything from security
awareness (what can happen out there) to the how-to of
using the tools and weapons you’ve so thoughtfully supplied.
After all, what good is a firewall and intrusion-detection
system if users turn it off because they’re annoyed by
all of those warning notices and beeps? Of what use is
file encryption if users leave their systems logged on?

Require users to take normal precautionary measures like
the following:

Locking laptops to hotel room furniture when leaving
the room.

Carrying laptops in carry-on luggage.

Sliding laptops under the airplane seat rather than
putting them in the overhead compartments.

And consider asking them to make the following extra
precautions as much a part of their daily routine
as deodorant and happy hour:

For extra security, moving sensitive documents entirely
from the laptop onto a 3.5-inch disk or Zip drive
and keeping it on their person at all times. Files
won’t fit on removable media? Teach them how to remove
the laptop hard drive to keep with them at all times.

Reporting incidents involving attempts at computer
access or theft.

Inquiring about data ports in hotel and meeting
rooms. Many hotels use digital phone systems, so travelers
should request an analog port. Better yet, purchase
them a device that can detect the nature of the port
and only use “safe” ports.

Purchasing and using protective computer cases.
Cases should provide padding and be moisture-proof.

Purchasing protective computer cases that are easy
on the back. Invest in cases that can roll.

Logging on using a domain account. Cached logons
will allow this. Encrypted file keys are kept in user
profiles; files encrypted with a local logon account
won’t be accessible to the user’s domain account.

Using virus software and keeping it updated. (You
may offer this service through a connection to corporate
lines if licensed to do so and make the updates transparent
to the user.)

Keeping systems patched.

Whenever possible, not leaving the computer in a
hotel room. When they must, they should lock it and
set alarms.

If possible, placing sensitive data on a 3.5-inch
disk, not on the computer, and keeping the disk separate
from the systems.

When it’s not possible to take the computer, locking
it to something in the hotel room. The traveler should
also remove the hard drive and carry it or keep it
in the hotel safe.

If you and your fellow road warriors can follow these
simple rules, you should be able to make the next trip
a safe one. I hope I’ve stimulated some thoughts that’ll
help you develop your computer security and travel policies
in a manner that’ll protect not only traveling data, but
travelers as well.

Meanwhile, if someone who mumbles, “Your laptop or your
life,” accosts me on the street, I’m throwing my laptop
in one direction and running in the other.